Skip to content

CI: add least-privilege permissions to GitHub Actions workflows#72

Merged
testableapple merged 14 commits into
developfrom
ci/workflow-least-privilege-permissions
Jul 9, 2026
Merged

CI: add least-privilege permissions to GitHub Actions workflows#72
testableapple merged 14 commits into
developfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add explicit least-privilege permissions blocks to workflow files flagged by CodeQL.
  • Scopes derived from workflow operations (build, artifacts, Danger, release git push).
  • Resolves 17 open actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Summary by CodeRabbit

  • Chores
    • Updated multiple automation workflows to define explicit, least-privilege GitHub Actions token permissions at the workflow level.
    • Release, merge, testing, metrics, static analysis, smoke checks, maintenance, and SDK sizing workflows now run with scoped access rather than default permissions, improving security.

Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
@peter-matkovski peter-matkovski requested a review from a team as a code owner July 8, 2026 11:25
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@testableapple, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 9 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c8a8d94f-2520-476c-8f99-16adaa679bda

📥 Commits

Reviewing files that changed from the base of the PR and between 31dd455 and f5a497c.

📒 Files selected for processing (1)
  • .github/workflows/smoke-checks.yml
📝 Walkthrough

Walkthrough

Nine GitHub Actions workflows now define explicit top-level permissions blocks, setting workflow token access for actions, contents, and pull-requests in CI, release, testflight, and copyright jobs.

Changes

Workflow Permissions Hardening

Layer / File(s) Summary
CI/check workflow permissions
.github/workflows/cron-checks.yml, .github/workflows/smoke-checks.yml, .github/workflows/sdk-size-metrics.yml, .github/workflows/sonar.yml
Each workflow adds a top-level permissions block for its CI/check jobs, with read-only or write access scoped per workflow.
Release workflow permissions
.github/workflows/release-start.yml, .github/workflows/release-publish.yml, .github/workflows/release-merge.yml
Each release workflow adds a top-level permissions block for the release flow, including contents and actions write scopes where needed.
Testflight and copyright workflow permissions
.github/workflows/testflight.yml, .github/workflows/update-copyright.yml
Each workflow adds a top-level permissions block with read or write scopes for contents and pull-requests.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding least-privilege permissions to GitHub Actions workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/workflow-least-privilege-permissions

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (2)
.github/workflows/release-publish.yml (1)

6-8: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Scope contents: write to the release job only.

The merge-main-to-develop job uses ADMIN_API_TOKEN for both checkout and all git operations (lines 40, 47), so it does not need contents: write on the Actions GITHUB_TOKEN. Workflow-level contents: write unnecessarily grants write access to that job. Consider moving the permission to the release job and using a more restrictive workflow-level default.

zizmor also flagged this as excessive-permissions.

🔒 Suggested refactor: job-level permission scoping
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   release:
     name: Publish new release
     runs-on: macos-15
+    permissions:
+      contents: write
     steps:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-publish.yml around lines 6 - 8, The workflow
currently grants `contents: write` at the top level, which gives unnecessary
write access to every job. Move that permission to the `release` job in
`release-publish.yml` and make the workflow-level permissions more restrictive
so `merge-main-to-develop` only uses `ADMIN_API_TOKEN` for checkout and git
operations. Use the `release` job as the only place that needs `contents:
write`, and keep the rest of the workflow scoped to the minimum required
permissions.

Source: Linters/SAST tools

.github/workflows/release-merge.yml (1)

9-12: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Downgrade contents to read in .github/workflows/release-merge.yml actions/checkout is the only step using the default GITHUB_TOKEN, and the merge step overrides it with ADMIN_API_TOKEN, so contents: read should be enough.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-merge.yml around lines 9 - 12, The workflow
permissions are too broad because the release-merge job only needs read access
to repository contents. Update the permissions block in the release merge
workflow to use read for contents while keeping pull-requests read, since
actions/checkout is the only step using GITHUB_TOKEN and the merge step already
uses ADMIN_API_TOKEN. Locate the permissions section in the release-merge
workflow and adjust it there.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cron-checks.yml:
- Around line 18-21: The workflow permissions include an unnecessary actions:
write scope; update the permissions block in cron-checks.yml to keep only the
access needed by the job, since upload-artifact does not require the Actions API
scope. Check the workflow steps that use actions/upload-artifact@v4 and remove
actions: write unless another step explicitly needs to manage artifacts through
the Actions API/UI.

In @.github/workflows/sdk-size-metrics.yml:
- Around line 15-18: The workflow permissions block is missing the `actions:
write` scope required by the `ci-guard` step, so add that permission alongside
the existing `contents` and `pull-requests` access. Update the permissions in
the `sdk-size-metrics` workflow where the `ci-guard` composite action is used so
its `gh run cancel` call can succeed under the default `GITHUB_TOKEN`, matching
the permissions used in `smoke-checks`.

In @.github/workflows/smoke-checks.yml:
- Around line 27-31: Update the permissions block in the smoke-checks workflow
to align with ci-guard’s documented requirements: keep actions: write for the gh
run cancel path, but change pull-requests in the permissions for the workflow
that invokes the ci-guard composite action to read instead of write. Use the
existing permissions stanza in the workflow as the target, and ensure the change
matches the ci-guard action’s documented token scope.

In @.github/workflows/sonar.yml:
- Around line 15-17: The workflow token permissions are missing the access
needed for the GitHub Actions API calls used by the sonar workflow. Update the
permissions block in the workflow so it includes actions: read alongside
contents: read, ensuring the steps that use gh api and gh run download can
access artifacts and run data correctly.

---

Nitpick comments:
In @.github/workflows/release-merge.yml:
- Around line 9-12: The workflow permissions are too broad because the
release-merge job only needs read access to repository contents. Update the
permissions block in the release merge workflow to use read for contents while
keeping pull-requests read, since actions/checkout is the only step using
GITHUB_TOKEN and the merge step already uses ADMIN_API_TOKEN. Locate the
permissions section in the release-merge workflow and adjust it there.

In @.github/workflows/release-publish.yml:
- Around line 6-8: The workflow currently grants `contents: write` at the top
level, which gives unnecessary write access to every job. Move that permission
to the `release` job in `release-publish.yml` and make the workflow-level
permissions more restrictive so `merge-main-to-develop` only uses
`ADMIN_API_TOKEN` for checkout and git operations. Use the `release` job as the
only place that needs `contents: write`, and keep the rest of the workflow
scoped to the minimum required permissions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1fdd4673-6662-41ac-bc2d-33b4b8c37f55

📥 Commits

Reviewing files that changed from the base of the PR and between 5223aa2 and 5d424a3.

📒 Files selected for processing (9)
  • .github/workflows/cron-checks.yml
  • .github/workflows/release-merge.yml
  • .github/workflows/release-publish.yml
  • .github/workflows/release-start.yml
  • .github/workflows/sdk-size-metrics.yml
  • .github/workflows/smoke-checks.yml
  • .github/workflows/sonar.yml
  • .github/workflows/testflight.yml
  • .github/workflows/update-copyright.yml

Comment thread .github/workflows/cron-checks.yml
Comment thread .github/workflows/sdk-size-metrics.yml
Comment thread .github/workflows/smoke-checks.yml
Comment thread .github/workflows/sonar.yml
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Public Interface

🚀 No changes affecting the public interface.

@peter-matkovski peter-matkovski self-assigned this Jul 8, 2026
@testableapple testableapple enabled auto-merge (squash) July 9, 2026 11:37
@testableapple testableapple disabled auto-merge July 9, 2026 12:04
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
3 Errors
🚫 Please start subject with capital letter.
d1f0636
🚫 Please start subject with capital letter.
00707d5
🚫 Please start subject with capital letter.
219a133

Generated by 🚫 Danger

@Stream-SDK-Bot

Copy link
Copy Markdown
Collaborator

SDK Size

title develop branch diff status
StreamFeeds 7.26 MB 7.26 MB 0 KB 🟢

@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@testableapple testableapple merged commit 4097789 into develop Jul 9, 2026
13 of 16 checks passed
@testableapple testableapple deleted the ci/workflow-least-privilege-permissions branch July 9, 2026 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants